CISOs Hit the Bottle as Workplace Pressures Build – Infosecurity Magazine:

I’ve largely stopped writing about the latest study or industry analysis white paper. Rarely do they shed much new light on security. This is an exception. The statistics in the article are jaw-dropping if close to accurate. But this is the part that is scary:

As a result of these factors, the pressure is reaching boiling point for many.

Over a quarter (27%) of CISOs polled said stress is impacting their mental or physical health, while 23% said the role is damaging their personal relationships. Even worse, 17% admitted they had turned to medication or alcohol to deal with workplace stress.

Mental, emotional, and physical health all can take their toll on well-being. But that 17% number is just as telling – what happens during an event when the head of the organization is blotto?

“It’s no surprise that CISOs are facing burnout. Many lack support from within their organizations, and senior business leaders need to face the facts: the threats are real, and CISOs need to be given the resources and support to tackle them. If not, the board must face the consequences.”

The lack of support feeds into the cycle. Even if the CISO does have a health or substance problem, there may not be mechanisms in place to manage a response in the absence of top leadership. I wonder how many DR/BC/IR tabletop exercises cover absent or impaired leadership?

Tim Harford — Article — Lessons from the wreck of the Torrey Canyon:

On Saturday March 18 1967, around half past six in the morning, the first officer of the Torrey Canyon realised that his vessel was in the wrong place. The 300-metre ship was hurrying north past the Scilly Isles, 22 miles off the tip of Cornwall in the south west of England, with more than 119,000 tonnes of crude oil. The aim was to pass west of the islands, but the ship was further east than expected.

The officer changed course, but when the sleep-deprived captain Pastrengo Rugiati, was awoken, he countermanded the order. A two-hour detour might mean days of waiting for the right tides, so Capt Rugiati decided instead to carry on through the treacherous channel between the Scilly Isles and the mainland.

Most serious accidents have multiple causes. A series of mistakes or pieces of bad luck line up to allow disaster. The Torrey Canyon was hampered by an unforgiving schedule, barely adequate charts, unhelpful winds and currents, confusion over the autopilot, and the unexpected appearance of fishing boats in the intended course. But reading Richard Petrow’s contemporary account of the Torrey Canyon disaster, a clear lesson is that Capt Rugiati was too slow to adjust. He had a plan, and saw far too late that the plan was doomed to failure — and with it, his ship.

Some accident investigators call this “plan continuation bias”. Airline pilots sometimes call it “get-there-itis”. The goal appears within touching distance; it’s now or never. Tunnel vision sets in. The idea of a pause or a change of approach becomes not just aggravating, expensive or embarrassing — it becomes literally unthinkable.

In such circumstances aeroplanes have crashed after trying to land in bad weather because the destination airport was so temptingly close. Patients have died of oxygen starvation because doctors and nurses fixated on clearing blocked airways rather than checking whether an oxygen pump was working. And the Torrey Canyon ran aground, producing the world’s first major oil tanker disaster.

We’ve all experienced “get-there-itis”. For me, it tends to emerge when dealing with family logistics. One child needs to go somewhere, another must be picked up from school. Then it turns out that someone needs to be at home to receive a delivery; the car is in for a service; the babysitter calls to cancel.

The plan seems feasible at first, but as complications mount, it starts to resemble an increasingly precarious assembly of stages and steps, lift-swaps and rendezvous, a Rube Goldberg fever-dream of an itinerary. 

Read the whole article for more instances, as well as an appraisal around Brexit. My main takeaway is this:

If I’m lucky, someone finds the mental space to see clearly the fragility of it all. Someone suggests a cancellation or two, replacing the entire time-and-motion nightmare with something radically simpler.

It’s that moment of clarity that is so often missing. Haste makes things worse …

That Apple revoked the developer certificates of * isn’t news any more. That they’re the 1st & only, and it took them so so long, is news.

Relentlessly Lowering Expectations:

We always compare performance on a relative basis. “Well, it’s better than it was yesterday…”

Toddlers, for example, seem like geniuses compared to the babies they used to be.

Some people around us have embraced a strategy of always lowering expectations so that their mediocre effort is seen as acceptable. Over time, we embrace the pretty good memo or the decent leadership moment, because it’s so much better than we feared.

And some? Some relentlessly raise expectations, establishing a standard that it’s hard to imagine exceeding. And then they do.

If you’ve been cornered into following, working with or serving someone in the first group, an intervention can be rewarding. For you and for the person trapped in this downward cycle.

Raising our expectations is a fine way to raise performance as well.

(Via Seth’s Blog)

I get Seth’s point, but I argue that he is missing two huge constituencies: those who don’t know yesterday and those who know they need to do better than yesterday.

In my field, the first are an ever-diminishing group of organizations that think their cybersecurity blindness, coupled with the lack of a known breach, means they’re “ok”. Maybe their business risk allows them their naïve approach. Time and experience will eventually come to call.

Then there is the other group, those that know that what they’ve been doing (or not doing) is no longer sufficient. They’re deciding to make a change to improve. Maybe they’re asking for outside help. Maybe what they see in front of them seems insurmountable in time, resources, money, and patience.

For this second group, being better than yesterday can be motivating and empowering.

I agree with Seth that lowering expectations to make middling effort seem effective is bad. It’s always eventually self-defeating. Good metrics, analytics, and reporting address this in all but the softest of skills and sciences.

Yet, sometimes, the appearance of success will breed success where there was little or none. Don’t discount the placebo effect.

American Phone Companies Are Literally Letting Their Networks Fall Apart:

Once as important as the American railroad and electrical grid, American phone companies aren’t quite what they used to be. With the use of copper-based landlines having plummeted the last few years, many of the nation’s phone companies have understandably attempted to shift their business models toward new, more profitable sectors like video advertising.

The problem: many of their aging fixed-line networks were not only built on the backs of billions in taxpayer subsidies, they’re very much still in use—and for many, slow, expensive DSL is the only broadband available. But with no local competition and local and federal oversight eroded by lobbying—many of these companies have simply stopped caring.

Case in point: Minnesota Attorney General Lori Swanson last week released a scathing 133-page report highlighting how the state’s incumbent phone company, Frontier Communications, has increasingly refused to upgrade its aging network, often taking months to make repairs, putting those with medical conditions at risk.

“The findings of this investigation detail an extraordinary situation, where customers have suffered with outages of months, or more, when the law requires telephone utilities to make all reasonable efforts to prevent interruptions of service,” the state AG said.

“Frontier customers with these outages include those with family members with urgent medical needs, such as pacemakers monitored by their medical teams via the customer’s landline,” said the AG, which notes Frontier violated more than 35 state laws and rules by failing to respond to customer repair requests in a reasonable timeframe.

The report, based on data collected from over 1,000 complaints and half-a-dozen public hearings, provides photographic evidence of the company’s neglected network, including network pedestals left abandoned to the elements:

Christopher Mitchell is the Director of the Community Broadband Networks Initiative, which helps local communities explore connectivity alternatives to apathetic monopolies. Mitchell told me via email such neglect is routine for companies that don’t want to upgrade aging DSL lines, yet simultaneously lobby for laws banning towns and cities from building better networks.

“State and federal elected officials have been negligent in allowing companies like Windstream [another lagging U.S. phone company] and Frontier—particularly for a business model that is mining a public safety telephone system for all it is worth—to charge as much as they can until the network literally rots,” Mitchell said.

One problem is that as internet voice and VOIP services became more common in the early aughts, the nation’s phone companies used this surge in voice competition to convince both state and federal lawmakers that meaningful oversight was no longer necessary. Now, for every state like Minnesota, there are countless states that do little to nothing about this dysfunction.

The result is companies that can’t even technically offer the FCC’s base definition of “broadband” (25 Mbps), yet often charge the same or higher prices than users in more developed areas pay for gigabit (1000 Mbps) broadband. All while actively undermining local community efforts to build better, faster broadband networks.

Mitchell pointed to numerous examples where Frontier executives and lobbyists have attempted to sue, hinder, or otherwise hamstring local efforts to bring better service to these long-neglected areas. If Frontier doesn’t want to upgrade its lines, Mitchell noted, the least it can do is get out of the way of those looking at creative, local alternatives.

“In 2019, any policy maker that listens to a lobbyist from Frontier should be held criminally negligent,” Mitchell said.

Cable operators certainly appreciate phone companies’ apathy. Consumers with an actual choice in broadband providers are fleeing to cable at an unprecedented rate. This cable monopoly (especially at faster speeds) in turn gives cable operators carte blanche to raise rates, impose arbitrary usage caps, and ignore their own failures on the customer service front.

And while next-gen wireless networks may provide an additional competitive option to some of these neglected users in time, we’ve discussed at length how wireless isn’t going to be a magic bullet on this front due to geographical limitations, bandwidth usage restrictions, and high prices.

With neither competition nor government accountability to force its hand, most American phone companies now operate in an accountability vacuum. And while users that can flee to alternative options continue to do so, there’s still millions of Americans stuck with companies making it very clear that actually giving a damn about paying customers is among their lowest priorities.

(Via Motherboard)

Corporations should be up in arms about this. The amount of redundancy and resilience in telco providers’ networks should trigger all kinds of alarms around business continuity and disaster recovery planning. And don’t forget, just because you have two telcos doesn’t mean they are on separate infrastructure. I learned this the hard way when I found out my redundant, path and provider diverse circuits for Western Michigan were none of the above – it all ran through one legacy card in one legacy chassis in one unmanned substation. That was not a good Friday, although it fell on Good Friday.

On the Necessity of Rest and Relaxation by Shawn Blanc:

Greg McKeown, from his book, Essentialism:

> If you believe being overly busy and overextended is evidence of productivity, then you probably believe that creating space to explore, think, and reflect should be kept to a minimum. Yet these very activities are the antidote to the nonessential busyness that infects so many of us. Rather than trivial diversions, they are critical to distinguishing what is actually a trivial diversion from what is truly essential.

I like this.

Psychology’s five revelations for finding your true calling:

Look. You can’t plan out your life. What you have to do is first discover your passion – what you really care about.

Barack Obama

If, like many, you are searching for your calling in life – perhaps you are still unsure which profession aligns with what you most care about – here are five recent research findings worth taking into consideration. 

First, there’s a difference between having a harmonious passion and an obsessive passion. If you can find a career path or occupational goal that fires you up, you are more likely to succeed and find happiness through your work – that much we know from the deep research literature. But beware – since a seminal paper published in 2003 by the Canadian psychologist Robert Vallerand and colleagues, researchers have made an important distinction between having a harmonious passion and an obsessive one. If you feel that your passion or calling is out of control, and that your mood and self-esteem depend on it, then this is the obsessive variety, and such passions, while they are energising, are also associated with negative outcomes such as burnout and anxiety. In contrast, if your passion feels in control, reflects qualities that you like about yourself, and complements other important activities in your life, then this is the harmonious version, which is associated with positive outcomes, such as vitality, better work performance, experiencing flow, and positive mood.

Secondly, having an unanswered calling in life is worse than having no calling at all. If you already have a burning ambition or purpose, do not leave it to languish. A few years ago, researchers at the University of South Florida surveyed hundreds of people and grouped them according to whether they felt like they had no calling in life, that they had a calling they’d answered, or they had a calling but had never done anything about it. In terms of their work engagement, career commitment, life satisfaction, health and stress, the stand-out finding was that the participants who had a calling they hadn’t answered scored the worst across all these measures. The researchers said that this puts a different spin on the presumed benefits of having a calling in life. They concluded: ‘having a calling is only a benefit if it is met, but can be a detriment when it is not as compared to having no calling at all’.

The third finding to bear in mind is that, without passion, grit is ‘merely a grind’. The idea that ‘grit’ is vital for career success was advanced by the psychologist Angela Duckworth of the University of Pennsylvania, who argued that highly successful, ‘gritty’ people have impressive persistence. ‘To be gritty,’ Duckworth writes in her 2016 book on the subject, ‘is to fall down seven times, and rise eight.’ Many studies certainly show that being more conscientious – more self-disciplined and industrious – is associated with more career success. But is that all that being gritty means? Duckworth has always emphasised that it has another vital component that brings us back to passion again – alongside persistence, she says that gritty people also have an ‘ultimate concern’ (another way of describing having a passion or calling). 

However, according to a paper published last year, the standard measure of grit has failed to assess passion (or more specifically, ‘passion attainment’) – and Jon Jachimowicz at Columbia Business School in New York and colleagues believe this could explain why the research on grit has been so inconsistent (leading to claims that it is an overhyped concept and simply conscientiousness repackaged). Jachimowicz’s team found that when they explicitly measured passion attainment (how much people feel they have adequate passion for their work) and combined this with a measure of perseverance (a consistency of interests and the ability to overcome setbacks), then the two together did predict superior performance among tech-company employees and university students. ‘Our findings suggest that perseverance without passion attainment is mere drudgery, but perseverance with passion attainment propels individuals forward,’ they said.

Another finding is that, when you invest enough effort, you might find that your work becomes your passion. It’s all very well reading about the benefits of having a passion or calling in life but, if you haven’t got one, where to find it? Duckworth says it’s a mistake to think that in a moment of revelation one will land in your lap, or simply occur to you through quiet contemplation – rather, you need to explore different activities and pursuits, and expose yourself to the different challenges and needs confronting society.

Yes!

If you still draw a blank, then perhaps it’s worth heeding the advice of others who say that it is not always the case that energy and determination flow from finding your passion – sometimes it can be the other way around and, if you put enough energy into your work, then passion will follow. Consider, for instance, an eight-week repeated survey of German entrepreneurs published in 2014 that found a clear pattern – their passion for their ventures increased after they’d invested more effort into them the week before. A follow-up study qualified this, suggesting that the energising effect of investing effort arises only when the project is freely chosen and there is a sense of progress. ‘Entrepreneurs increase their passion when they make significant progress in their venture and when they invest effort out of their own free choice,’ the researchers said.

There is the concept of the craftsman approach put forth by Cal Newport and others, to which I subscribe.

Finally, if you think that passion comes from doing a job you enjoy, you’re likely to be disappointed. Consider where you think passion comes from. In a preprint paper released at PsyArXiv, Jachimowicz and his team draw a distinction between people who believe that passion comes from doing what you enjoy (which they say is encapsulated by Oprah Winfrey’s commencement address in 2008 in which she said passions ‘bloom when we’re doing what we love’), and those who see it as arising from doing what you believe in or value in life (as reflected in the words of former Mexican president Felipe Calderón who in his own commencement address in 2011 said ‘you have to embrace with passion the things that you believe in, and that you are fighting for’).

The researchers found that people who believe that passion comes from pleasurable work were less likely to feel that they had found their passion (and were more likely to want to leave their job) as compared with people who believe that passion comes from doing what you feel matters. Perhaps this is because there is a superficiality and ephemerality to working for sheer pleasure – what fits the bill one month or year might not do so for long – whereas working towards what you care about is a timeless endeavour that is likely to stretch and sustain you indefinitely. The researchers conclude that their results show ‘the extent to which individuals attain their desired level of work passion may have less to do with their actual jobs and more to do with their beliefs about how work passion is pursued’.

This is an adaptation of an article originally published by The British Psychological Society’s Research Digest.

(Via Aeon)

CISOs Find Collaboration Improves Resiliency:

The Advanced Cyber Security Center (ACSC) has published its first annual report, Leveraging Board Governance for Cybersecurity, the CISO / CIO Perspective, the results of which highlight the need for boards to be active governance partners in collaborative cyber defense.

Recognizing the shared value of collaboration across organizational functions and between and among organizations when talking about cyber defense, the ACSC report calls upon boards to adopt a holistic and dynamic understanding of their organization’s cybersecurity responsibilities. In addition, boards are encouraged to maintain continuous direct access to CISOs and risk officers as well as with CIOs and other executives.

The report found, “For the most part, boards are not in a position to provide strategic guidance on cyber risk,” said Michael Figueroa, executive director of the ACSC in a press release. “In particular, the ACSC report has identified a need for a risk standard, much like those frameworks that financial and audit risk functions have refined over decades, that would help guide decision making and operations as they relate to cyber risk management.”

As part of the study, 20 ACSC member CISOs and CIOs from a wide range of organizations across multiple sectors worked in conjunction with four outside experts. Collectively, the focus group shared perspectives which revealed common themes and perceptions about board engagement as it relates to board-management relationship.

“I can’t help but agree with the observations, in that all but the smallest organizations should have the CISO role defined as the go-to person for security,” said Mukul Kumar, chief information security officer and VP of cyber practice at Cavirin.

“He or she manages up to others in the C-suite and the board, and ties together strategy across DevOps, SecOps, risk and compliance. The best example of a failure to clearly establish roles, responsibilities and lines of reporting is clearly outlined in the House committee report on the Equifax breach.”

According to the report findings, the board-management relationships are only in the nascent or maturing stages, which indicates that in most cases the boards are not effectively guiding management in making strategic risk-based decisions.

In addition, most boards are bereft of individuals with any real cyber expertise. The report recommended that they should make efforts to recruit members who can augment the board’s ability to build strategic partnerships that provide guidance specifically related to cyber risk.

“Boards should prioritize and support senior management’s development of a new generation of outcome-based cyber risk management frameworks, and in the meantime, executives should use only a few operational metrics with boards,” the report stated.

(Via Infosecurity)

I see articles like this one, reporting on reports like this one, and only in specific circumstances do we see the kind of collaboration prescribed.

What to Do When You Think You’re About to Get Fired by Whitson Gordon:

Things have gone from bad to worse at your job. Maybe the company’s showing signs of financial trouble or your boss has given you more than a couple stern warnings about your performance. If you have an inkling that your job might be in jeopardy, here’s how to prepare yourself.

Don’t wait to do these things when you get an inkling. Plan for the worst so you’re ready when it happens.

Get direct feedback and look for the signs

“In theory, you should be getting feedback along the way if you aren’t doing well,” said Kim Scott, the author of “Radical Candor: Be a Kickass Boss without Losing your Humanity.” “Solicit feedback well before you think there’s a problem. Either you’ll be reassured that things are not as bad as you think they are, or you’ll hopefully get some feedback you can use.”

Come up with a go-to question you ask with some frequency. Merely asking “do you have any feedback for me?” isn’t always going to help. Instead, put your manager on the spot and ask a more direct question like, “What can I do to make it easier to work with me?” Give your boss time to answer — at least six seconds of uncomfortable silence is usually enough — and don’t get defensive when they reply.

Of course, not all organizations are run so well. In some, getting feedback may be like pulling teeth. In others, they may not say explicitly that your job is in danger, so you’ll have to read between the lines.

Ideally, that will give you something to work with, and you may even be able to keep your job. If not, though, you’ll at least be able to say you gave it your all.

Document what your manager says, too.

Prepare for the worst now

If all signs point to a potential firing in the near future, it’s time to get your ducks in a row. “When you’re fired or laid off, it is very likely that you’ll be asked to leave right away,” said Alison Green, the author of the Ask a Manager website and book. “You may be allowed to go back to your desk to grab some personal items, but you’re probably going to be locked out of your computer.”

So start thinking now about the stuff you’ll want to have with you when you leave — contact information for friends and useful connections, statistics that might bolster future job interviews, or anything else that might come in handy. Just be sure not to take anything confidential or that you’ve signed an agreement not to take.

It’s also a good idea to make any medical appointments you might need before your health insurance goes away. Similarly, make sure you have a healthy emergency fund in your savings account, if you can: enough money to get you through a few months (experts suggest three to six) without your regular salary. This will make things a lot less stressful when the hammer finally comes down.

Next, Ms. Green said, “read your employee handbook. You might find things in there about separation procedures. It might prompt you to start thinking about negotiating a neutral reference, or you might find out if they pay for unused vacation.” These types of logistics are easy to forget when you’re in that fateful meeting, so if you think about them beforehand, you’ll be well prepared for anything that comes your way.

There are, however, a couple things you’ll need to discuss during the meeting. First, agree on a story about why you left. “Sometimes you can negotiate with your employer, and they will agree to say you weren’t fired,” said Ms. Green. In some cases, they may agree to just confirm your dates of employment when called for a reference. “The time to do that is in the meeting, when the firing is happening, because they have an incentive to wrap this up as pleasantly as possible.” You might even be able to negotiate for more severance.

In the U.S. and a lot of other countries, there is a difference between being laid off and being fired.

Fired usually implies cause: poor performance, insubordination, incompetence, criminal activity, or violating terms of employment (sexual harassment, racism, etc.). Fired for cause will often include a history of poor reports in one’s personnel file. Being laid off is better. It implies you were “let go” for general staff reductions or as part of a reorganization but not for poor performance or criminal activity.

Negotiating severance at this point is important. When I was laid off many years ago I was able to double my severance plus get a career coach, access to resources, and some other things that helped me find a great job just before my severance ran out.

Finally, try to turn that meeting into a learning opportunity. “If you’re not too devastated by having gotten fired, this is a great opportunity for you to get the feedback that you didn’t get earlier,” Ms. Scott said. Ask what you can do better, so you don’t find yourself in the same situation next time. “Then I would ask my boss, ‘Where do you see me working? What kind of opportunity do you think I would thrive in?’ If the boss is a total jerk, you’re probably not going to get any useful information, but usually people have an idea of where you would really do well.”

This is fantastic advice.

Hit the ground running at your next job

Don’t wait until you’ve been fired to start searching for your next job. “As soon as you start being worried, start the job search,” Ms. Green said. “Reconnect with your network, and start looking around at what’s out there.” Make a list of everyone you know who might be able to offer you work — or might know someone who could. If you’re in a field where freelancing is common, see if you can line up some potential freelance work during the gap. “The sooner that you can start, the better,” said Ms. Green. “You don’t want to go home from that meeting and be at square one.”

Always have “irons in the fire” even if things look good at work. It will keep you in tune with the marketplace, help you focus your training and experience on that market, and maybe that next great opportunity comes along.

Hopefully, that will help you line up interviews quickly. Just make sure you’re prepared to answer the question of why you left your last job. You don’t have to say “I was fired,” necessarily, but don’t lie outright, since the interviewer will likely talk to your former boss. Instead, come up with a brief, nondefensive explanation of why it didn’t work out. Ms. Scott offered a simple script: “You could say something like ‘I realized that I’m really not well-suited for XYZ kind of opportunities. But that’s why this job is really appealing to me, because I’ll be playing to my strengths.'” If you can show that you’re a person who takes feedback and learns from your experiences, good employers will take notice.

Finally, remember that no amount of preparation can inoculate you against the blow to your ego. Give yourself a few days to recover, but try to shift your focus to the future. “The road to insanity in these situations is obsessing about injustice,” said Ms. Scott. “Sometimes there really is injustice, and you may want to take action. But usually, it’s a better return on investment of your time to get a new great job.” After all, the best revenge is a life well lived.

Agreed. The Stoic practice of negative visualization can help with this. Prepare for the fact that you may not be able to be as prepared as you might like.

You can check out my previous posts titled “Preparing for the Pink” on this very topic here, here, here, and here. I should collect these into a page for easy navigation, so na?

Cyber-insurance shock: Zurich refuses to foot NotPetya ransomware clean-up bill – and claims it’s ‘an act of war’:

Snack company client disagrees, sues for $100m

US snack food giant Mondelez is suing its insurance company for $100m after its claim for cleaning up a massive NotPetya ransomware infection was rejected – for being “an act of war” and therefore not covered under its policy.

Zurich American Insurance Company has refused to pay out on a Mondelez policy that explicitly stated it covered “all risks of physical loss or damage” as well as “physical loss or damage to electronic data, programs, or software, including loss or damage caused by the malicious introduction of a machine code or instruction.”

The claim stems from the 2017 NotPetya cyberattack: a Windows-based piece of ransomware that encrypted a hard drive’s file system table and prevented the system from booting. The code then demanded that a Bitcoin payment be made to regain access. Mondelez says it lost 1,700 servers and 24,000 laptops as a result of the malware.

The Register has an almost uncharacteristically restrained take on this. This bit about Zurich trying not to pay out is particularly interesting:

That is a very unusual position to take – Mondelez called it “unprecedented” in court papers – since the insurance company will be obliged to prove that it was in fact the Russian government that had carried out the attack as a hostile action. It is notoriously difficult to pin cyberattacks on specific groups, governments or organizations.

If Zurich does succeed in arguing its case in court and wins, it would have an immediate impact, causing all large companies to review their policies and most likely creating a new market in cyberattack insurance almost overnight.

Why did Zurich come to this conclusion? Infosecurity provides a good summary.

Zurich Refuses to Pay Out for NotPetya ‘Act of War’:

Led by the UK, the Five Eyes nations came together in February last year to blame Russia for the attacks in June 2017.

“The attack showed a continued disregard for Ukrainian sovereignty. Its reckless release disrupted organizations across Europe costing hundreds of millions of pounds,” a Foreign Office statement noted at the time.

However, despite their strong statements, the governments didn’t produce hard evidence to back up their claims, which could make it difficult for Zurich to prove its case, according to experts.

… NotPetya cost losses that ran into the hundreds of millions for the likes of FedEx, Maersk, Merck and many more. It was claimed in November that they have now exceeded $3bn.

I thought this analysis was interesting in that a security practitioner provided it and not someone from the insurance sector (from the same article):

The insurer should instead have invoked a gross negligence clause, because Mondelez was hit by the same ransomware twice, argued Igor Baikalov, chief scientist at Securonix.

“The ‘fool me once’ proverb is fully applicable here: while many companies fall victims to ransomware, one of the first steps to recovery is to make sure it doesn’t happen again,” he added.

“Zurich is likely taking one for the team here, testing the waters for the whole insurance industry on the efficiency of the war exclusion and their ability to attribute attacks to a nation-state. I wonder who insures the insurers: what kind of cybersecurity protection is on Zurich’s own policy?”

ZDNet offers their own take in NotPetya an ‘act of war,’ cyber insurance firm taken to task for refusing to pay out:

NotPetya is a type of ransomware similar to Petya but it received a raft of upgrades and increased in sophistication before being released to the point researchers separated the malware out into its own family.

The ransomware will often use the EternalBlue and EternalRomance exploits to propagate. Once executed on a vulnerable Windows machine, the malware will reboot the system and overwrite the master boot record (MBR) with a custom loader and a ransomware note which demands $300 in Bitcoin (BTC).

As reported by Bloomberg, the Mondelez-Zurich dispute has been given an interesting facet in the field of cyber insurance due to attribution, and one which has the potential to prompt insurance companies worldwide to reexamine their policies.

… While the insurance policy covered “physical loss or damage to electronic data, programs, or software” by way of “the malicious introduction of a machine code or instruction,” Zurich apparently chose not to pay up, citing the NotPetya spread as “hostile or warlike action in time of peace or war,” which, therefore, voided the claim.

Marsh & McLennan argues, however, that as NotPetya struck non-military targets who operated “at places far removed from the locale or the subject of any warfare;” the damage caused was purely economic rather than resulting in any loss of life or injury, and “the chaos caused by NotPetya bore greater resemblance to a propaganda effort rather than a military action intended for ‘coercion or conquest,’ which the war exclusion was intended to address.”

“As cyber-attacks continue to grow in severity, insurers and insurance buyers will revisit the issue of whether the war exclusion should apply to a cyber incident,” said Matthew McCabe, senior VP of Marsh. “For those instances, reaching the threshold of ‘warlike’ activity will require more than a nation-state acting with malicious intent […] most nation-state hacking still falls into the category of criminal activity.”

This confluence of cyber-insurance, attribution, and security hygiene will prove interesting to see play out. I’m no fan of attribution generally and think too many organizations look at cyber-insurance as a “get out of jail free” card for immature security hygiene and responsibility avoidance.

As I have no particular insight into this specific case other than what the press reports, I will stay tuned (via the above ZDNet citation):

The case, filed with the Cook County court in Illinois (case: 2018 L 011008), alleges that Spanish food giant Mondelez’ insurance company Zurich did not pay out following the attack, which took place in 2017.